Versa SASE Client Release Notes for Windows
These release notes describe features, enhancements, and fixes in all releases of the Versa SASE client software for the Windows operating system. For known issues, see Known Issues below.
The SASE client supports the following Windows OS versions:
- Windows 11 (all versions)
- Windows 10, 10.0.16299 and later
- Windows 7 Professional Version 6.1.7601
- Windows 8.1 Version 6.3 (OS build 9600)
- Windows Server 2012R2 6.3.9600
- Windows Server 2016 Version 1607 (OS build 14393.693)
- Windows Server 2019 Version 10.0.17763
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the Versa SASE Client
Known Issues
When the device resumes from Sleep mode, sometimes the error message, "Versa Secure Access Service not running", displays when starting the client. Usually, the service restarts automatically. This issue resolves if you click OK on the error message and then restart the client. If the Secure Access Service does not start automatically, you can manually restart it from the Services window. To do this, right-click on Versa Secure Access Service, and then click Start.
Release 7.9.1
Released January 31, 2025
New Features
- Add support for endpoint data loss prevention (DLP) to prevent data exfiltration activities (copy and paste, capture screenshot, and use of USB). For DLP settings, click Data Loss Prevention from the Enterprise menu, and then click the toggle buttons to enable or disable the options.
- Add support to revoke certificates configured under the revocation list on the server during re-registration and synchronization.
- Add support to use "prelogon" as a username for a prelogon tunnel when authentication is device certificate-based.
- Add support to monitor the user session and auto disconnect tunnel when a user signs out.
- Add support to use a custom port for monitoring applications in DEM.
- Add support to pre-configure the default device ID for a device.
- To enable, issue the VersaSecureAccessClientConsole.exe client --device_id device-ID CLI command.
- Add support to use application names with spaces while adding excluded applications using the CLI.
- Add support for Audit Logs and Export Logs from the system tray.
- Add support to automatically select the first matching certificate from the issuer list for device certificate authentication.
- Add support to bypass automatic certificate selection.
- To enable, issue the VersaSecureAccessClientConsole.exe client --allow_user_to_select_cert true CLI command.
- Add support to set the default FQDN and default enterprise name, and to enable certificate-only authorization.
- To set default FQDN, issue the VersaSecureAccessClientConsole.exe prelogon --portal_fqdn fqdn CLI command.
- To set the default enterprise name, issue the VersaSecureAccessClientConsole.exe prelogon --enterprise_name enterprise CLI command.
- To enable certificate-only authorization, issue the VersaSecureAccessClientConsole.exe prelogon --enable_certonlyauth true CLI command.
Enhancements
- Improve application security by encrypting inter-process communication messages using the dynamic key unique to a device, and restricting it to Versa-only processes through certificate validation.
- Improve CrowdStrike status detection for EIP collection by using the API provided by CrowdStrike.
- Improve SSL tunnel state detection using configurable heart-beat interval through the CLI.
- Extend diagnostics capture during system power and network change events.
- Improve audit log information.
Fixed Bugs
- Auto Reconnect does not function intermittently when a user logs in after the device is in Sleep mode.
- Multiple OTP requests due to unexpected invalidation of authentication token.
- Custom logo displays incorrectly.
- Application hangs when Auto Register is enabled with retrieval of user information set to automatic.
- Consider only last entity certificates for certificate-based authentication.
- Group connect failure for prelogon mode.
- Logged in user information does not map after the device switches to Sleep mode.
- EIP collection does not trigger post-system Sleep event.
- Bypass entire loopback IP address range from App Tunnel driver instead of processing only from 127.0.0.1/32.
- Minor UI issues
Release 7.8.12
Released November 13, 2024
Enhancements
- Accept multiple certificate issuers to retrieve usernames from a Smart Card certificate.
- To enable the feature, issue the following CLI command with the certificate issuer name and the field from which to retrieve the user name (the username field can be CN or SAN):
fetch_username_from_certificate true --cert_issuer issuer_name --username_field CN/SAN
- To add a new certificate issuer name, issue the VersaSecureAccessClientConsole.exe client --add_user_cert_issuer issuer-name CLI command. Note that if you run the --fetch_username_from_certificate CLI command again, it resets the existing certificate issuer values.
- To remove a certificate issuer name, issue the VersaSecureAccessClientConsole.exe client --remove_user_cert_issuer issuer-name CLI command.
Fixed Bugs
- Improve maximum transmission unit (MTU) calculations to handle instances where the MTU value is between the MTU ranges of underlay and tunnel, and also when the gateway is not reachable.
- Minor UI updates.
Release 7.8.11
Released October 30, 2024
Enhancements
- Add support to dynamically update the maximum transmission unit (MTU) for a tunnel interface based on the MTU value of the connected underlay.
- Add support to use the system default browser for SAML authentication instead of the in-app browser. When you enable this, the client displays the system default browser to follow HTTP redirection to the IDP login URL:
- To enable, issue the VersaSecureAccessClientConsole.exe client --use_system_browser true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --use_system_browser false CLI command.
- Add support to handle multiple certificate issuers for device certificate-based authentication.
- Add support to discover unique domains of the serving VOS node during portal registration and gateway group connect. Then, use these domains for API calls to ensure that the same VOS node handles a full transaction.
- Add support for mandatory user authentication after an administrative (gateway side) disconnection. For example, in case of a gateway policy violation, VOS disconnects the tunnel based on the policy and the user must authenticate when logging into the client again.
Fixed Bugs
- TrustedSubnet is excluded when the configuration includes TrustedSubnet but not TrustedNetworkHostName.
- Handle multiple user authentications when the authentication token management CLI flags 'Clear Auth Token on User Disconnect' and 'Clear Auth Token on Versa Service Restart' are enabled, and user disconnects and restarts the machine.
- Long wait time to delete an enterprise.
- Client sets the pre-logon Metric parameter value to 0, when this value is not set in the pre-logon configuration file.
Release 7.8.10
Released August 22, 2024
Enhancements
- Add support for new XDR/EDR category in endpoint information profile (EIP).
- Improve audit logs to capture more details about tunnel disconnect.
- Add support for the following multifactor authentication (MFA) and authentication token management features:
- Clear authentication token when user manually disconnects tunnel or if it disconnects when the auto-disconnect interval expires:
- To enable, issue the VersaSecureAccessClientConsole.exe client --clear_auth_cookie_on_user_disconnect true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --clear_auth_cookie_on_user_disconnect false CLI command.
- Clear authentication token when Versa service restarts (for example, system restart):
- To enable, issue the VersaSecureAccessClientConsole.exe client --clear_auth_cookie_on_service_restart true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --clear_auth_cookie_on_service_restart false CLI command.
- Clear authentication token when user attempts to connect after a session times out on exceeding the idle timeout interval:
- To enable, issue the VersaSecureAccessClientConsole.exe client --user_session_idle_timeout interval in seconds (to disable, set interval to 0).
- Add support to report device serial number and device ID to gateway.
- Add support for default, dark, and light display modes from the App Settings menu:
- To change display options using the CLI, issue VersaSecureAccessClientConsole.exe client --appearance default/light/dark CLI commands. For example, issue the VersaSecureAccessClientConsole.exe client --appearance light CLI command for a light display.
- Enable TLS or DTLS tunnels by default.
- Include audit logs for failures to add NRPT rules or DNS suffixes.
- Add support for IP stickiness when connecting to TLS/DTLS tunnel.
- Activate network diagnostics if tunnel disconnects due to unknown reasons and enter log in the PostTunnelDisconnectNetworkDiagnostics.log file.
Fixed Bugs
- DEM to collect application (TCP/HTTP) telemetry information even when ICMP ping to the application endpoint fails.
- Issue in connecting users whose user profile folder name is different from the username.
- Display complete tool tip text even when client is disconnected.
- Alert notifications are not consistent due to WebSocket connection failure between the client and the gateway.
- Add DNS to the tunnel adapter when connecting to TLS/DTLS tunnel.
Release 7.8.9
Released June 18, 2024
Enhancements
- Add support to allow single sign-on with primary OS account (AllowSingleSignOnUsingOSPrimaryAccount) in the in-app browser to authenticate users when MFA is enabled for conditional access.
- Notify users about terminating the connection when a user exceeds the maximum number of concurrent logins from multiple devices. You configure the number of concurrent user logins from the gateway. The default value is 5.
- Add support to create unique EAP IDs for users who log in from different devices.
- Allow consent through an acceptable use policy (AUP) before establishing a gateway connection.
- Add support to configure IPsec transforms for a prelogon tunnel.
- Add the DIA flag in the Digital Experience Monitoring (DEM) report for applications that are routed directly to the internet through the underlay interface.
Fixed Bugs
- Improve EIP collection to identify the exact running state of applications after reboot.
- Exclude service feature does not exclude traffic when a tunnel is connected.
- Client does not automatically reconnect after a device reboots, even when Always On is enabled.
- Read User Principal name from the certificate on a smart card.
- Improve reading accuracy of registry path entries when collecting EIP data.
- Error while verifying TOTP or OTP during configuration synchronization.
- Improve behavior to handle user preference when user is registered with multiple tenants and Always On is enabled.
- Improve error handling while establishing a TLS/DTLS tunnel.
- Issues with adding routes when establishing a tunnel, when the login username and profile image path do not match.
- Issue with network change event and internal communication channel.
- UI improvements and fixes.
Release 7.8.8
Released April 30, 2024
Enhancements
- Add support for TLS Tunnel and DTLS Tunnel for Windows 10 and later from the App Settings menu.
By default, TLS and DTLS tunnels are disabled. When you enable TLS Tunnel or DTLS tunnel, the client tries to establish a tunnel based on the tunnel type order it receives from the portal. If the first attempt fails, the client tries to connect to the next tunnel type in the configuration order. If you have administrator privileges, you can enable or disable these tunnels using the CLI:
- To enable TLS tunnel, issue the VersaSecureAccessClientConsole.exe client --enable_tls_tunnel true CLI command.
- To disable TLS tunnel, issue the VersaSecureAccessClientConsole.exe client --enable_tls_tunnel false CLI command.
- To enable DTLS tunnel, issue the VersaSecureAccessClientConsole.exe client --enable_dtls_tunnel true CLI command.
- To disable DTLS tunnel, issue the VersaSecureAccessClientConsole.exe client --enable_dtls_tunnel false CLI command.
- Add support for Sync Account from the Enterprise menu, to synchronize client configuration with the SASE portal. You can perform this action even if the client is not connected to the network.
- Add support to enable or disable real-time EIP collection from the App Settings menu. By default, real-time EIP collection is disabled.
- Add support to have a client automatically disconnect an established tunnel at a specified time of the day.
- Add support to read the username from a Smart Card certificate. When you enable this and set the default FQDN and Enterprise Name, the client starts automatic registration.
- To enable, issue the VersaSecureAccessClientConsole.exe client --fetch_username_from_certificate true --cert_issuer certificate-issuer-name --username_field CN | SAN --san_match_regex regex CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --fetch_username_from_certificate false --cert_issuer certificate-issuer-name --username_field CN | SAN --san_match_regex regex CLI command.
- Improve Auto Hide so that the SASE client application is hidden based on screen activity.
- When you install Release 7.8.8, you cannot stop the Windows services that the client supports. To downgrade from Release 7.8.8 to Releases 7.8.7 and earlier, you must uninstall Release 7.8.8. For example, the Stop option for EIP services is disabled after installing Release 7.8.8.
- Add EIP support for prelogon.
- Add support for EIP custom process information.
Fixed Bugs
- Application exclusion does not work after restarting the device from Sleep mode.
- Windows Domain displays as null in the EIP posture after restarting the device from Sleep mode.
- Auto Logon feature is enabled by default when you enable SSO.
- Manual EIP collection does not clear the state when the user session does not exist.
- Issues with retrieving the Windows home directory when the device has multiple temporary drives.
Release 7.8.7
Released February 9, 2024
Enhancements
- Improve user experience during underlay change when client is connected to a trusted network.
- Add support to display audit log for important client actions from the App Settings > Log Settings > Audit Logs menu.
- Add support to exclude traffic based on service, port, and IP address.
- To exclude traffic from a service, issue the VersaSecureAccessClientConsole.exe service --exclude_service service-name CLI command. For example, VersaSecureAccessClientConsole.exe service --exclude_service [TCP::1002|10.0.0.1/24].
- To reset the setting, issue the VersaSecureAccessClientConsole.exe service --reset_exclude_service service-name CLI command. For example, VersaSecureAccessClientConsole.exe service --reset_exclude_service [TCP::1002|10.0.0.1/24].
- Add real-time reporting for endpoint information profile (EIP).
- Add support for auto-register with browser-based SSO, when SSO is enabled and the default FQDN is configured.
- Add support for auto-register when auto-logon is enabled, and auto-logon type and default FQDN are configured.
- Add support to prioritize gateway-assisted trusted network detection over trusted hostname-based network detection, when both networks are configured.
- To enable this prioritization, issue the VersaSecureAccessClientConsole.exe client --prefer_gateway_assisted_tnd true CLI command.
- Add support to enable always-on in pre-logon mode. To enable this feature:
- Set the PrelogonCertOnlyAuth field to true in the pre-logon configuration file that you upload when you enable pre-logon for the client. For more information, see Configure Pre-Logon for the Versa SASE Client.
- Enable Always-On from the Enterprise > Account Details > Always Connected menu.
Fixed Bugs
- Issue when web socket connects to a gateway that does not support DEM or if DEM is disabled.
- Some resources do not close during an upgrade.
Release 7.8.6
Released December 22, 2023
Enhancements
- Add support to set the default username for first time registration. To set the default username, issue the VersaSecureAccessClientConsole.exe client --set_default_username username CLI command. Note that if the username contains spaces, enclose it in quotation marks (" ").
- Add support to display build details in the UI. To view, click Settings > Enterprise > Account Details > Software Update.
- Add support to allow or block DNS traffic for excluded applications in FAIL-CLOSE mode.
- To enable, issue the VersaSecureAccessClientConsole.exe service --Allow_Excluded_Application_traffic_on_fail_close true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe service --Allow_Excluded_Application_traffic_on_fail_close false CLI command.
- Add support to configure the reminder time for automatic disconnect. The default value is 15 minutes. Previously the time was fixed at 5 minutes.
- To update the automatic disconnect reminder time, issue the VersaSecureAccessClientConsole.exe client --auto_disconnect_reminder_time time CLI command.
- To reset the automatic disconnect reminder time, issue the VersaSecureAccessClientConsole.exe client --reset_auto_disconnect_reminder_time CLI command.
Fixed Bugs
- Improve trusted network identification when switching from the public internet to a trusted network.
- When connecting to a group, force users to authenticate if Remember Credentials is set to false.
- Application does not close automatically during upgrade.
- UI displays incorrect group name intermittently.
- When the client is in a trusted network and if there is a power mode change, the client attempts to reconnect frequently.
Release 7.8.5
Released November 6, 2023
Enhancements
- Add option to connect from the system tray to establish a tunnel based on the last enterprise and profile that user selects.
- Add support for Auto Hide window based on user inactivity.
- Enhance the connectivity logic used to connect to the next available gateway during an error in creating a tunnel.
- Add support to capture device name from registered devices to identify unique devices that a user registers.
Fixed Bugs
- Issue with captive portal detection.
- Disconnect pre-logon tunnel based on the configuration while connected to a trusted network.
- Attempt websocket reconnection when disconnected while in a trusted network.
Release 7.8.4
Released September 14, 2023
Enhancements
- Users can disconnect while in trusted network.
- Minor UI changes.
Fixed Bugs
- Allow sharing of EIP data when connected to a trusted network.
- Inconsistent captive portal detection.
- Reduce client action time when network change events are received from the OS.
- Update UI to display group or gateway name during connection.
- Improve resiliency to act on internal communication messages when device switches to sleep mode and then resumes.
Release 7.8.3
Released June 30, 2023
Enhancements
- Add support to allow or block ICMP traffic in FAIL_CLOSE mode.
- To enable, issue the VersaSecureAccessClientConsole.exe service --block_icmp_on_fail_close true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe service --block_icmp_on_fail_close false CLI command.
- Add Refresh button so that you can manually update Connected Statistics window.
- Sort group name based on the priority sum of the participating gateway.
- Add support to automatically close the SASE client UI 10 seconds after a successful VPN connection.
- To enable, issue the VersaSecureAccessClientConsole.exe client --hide_on_connect true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --hide_on_connect false CLI command.
- Add support to display a popup browser for SAML authentication.
- To enable, issue the VersaSecureAccessClientConsole.exe client --prefer_popout_browser true CLI command.
- To disable, issue the VersaSecureAccessClientConsole.exe client --prefer_popout_browser false CLI command.
Fixed Bugs
- Remove stale NRPT rules when upgrading from Releases 7.5.7 and earlier.
- When you configure an IP address instead of the FQDN, and during an internal redirection, captive portal detection does not work.
Release 7.8.2
Released May 17, 2023
Enhancements
- Add support for authentication using a device certificate in pre-logon mode.
- Minor UI and default values changes in the configuration.
Fixed Bugs
- Fix error that occurs when installing Release 7.8.0 on Windows 7 devices.
Release 7.8.1
Released April 21, 2023
Enhancements
- You can specify the list of applications to bypass AppTunnelDriver traffic handling:
- To add applications to the bypass list, issue the VersaSecureAccessClientConsole.exe service --apptunnel_bypass_application CLI command.
- To reset the bypass list, issue the VersaSecureAccessClientConsole.exe service --apptunnel_bypass_application_reset CLI command.
- To display saved bypass applications, issue the VersaSecureAccessClientConsole.exe service --apptunnel_list_bypassed_applications CLI command.
- Add support for tunnel autodisconnect after a configured amount of time. You configure this in the Versa Secure Access portal and share the configuration with the SASE client during registration or reregistration. To add or update the tunnel autodisconnect interval, issue the VersaSecureAccessClientConsole.exe client --auto_disconnect_interval CLI command. To reset the autodisconnect interval, issue the VersaSecureAccessClientConsole.exe client --reset_auto_disconnect_interval CLI command. The CLI options are available for all registered enterprises. If you set the interval at the server and client CLI levels, the server configuration is preferred.
- FIPS compliance is disabled by default. If FIPS is enabled by the SASE client, installing Release 7.8.1 disables it and restores ciphers. If you enabled FIPS manually or another application enabled it, there is no action when you install this version of the client.
- Screen displays auto-update and auto-disconnect configurations received from the server.
- You can specify a timeout value for HTTP calls by issuing the VersaSecureAccessClientConsole.exe global --http_timeout seconds CLI command. The value range is 30 through 300 seconds.
- Client captures and posts enterprise-specific EIP data.
- Add support to reset password when client uses Versa IDP for user authentication.
- Improvement in auto-update file download.
- Minor UI enhancements.
Fixed Bugs
- When the Systray application performs auto reregister, the client ignores the custom port value entered during registration.
- Fetching geographic coordinates delays connections on a few machines.
Release 7.8
Released March 7, 2023
New Features
- Add support for the auto-update feature, which checks for and notifies you about the latest client versions that are available for download. When auto-update is enabled, each time you log in, the client checks for the latest client version. When it detects that a new version is available, a message displays on the client UI recommending that you upgrade the client to the latest version before a certain date, which is the seventh day from when the message displays. If you do not upgrade by the end of that day, the client stops connecting to any VPN gateway until you upgrade to the latest version.
- Add support for the preferred client version to receive a notice to install the preferred version if it is not already installed.
- Add support for tamper protection, which, if enabled on the server side, does not allow you to uninstall the client, delete the client account, or delete any files from the installation directory. To disable, click the Tamper Protection toggle button in the Account Details window, and then enter the tamper-protection authentication key.
- You can exclude Versa root CA during installation by issuing the VersaSASEClient_version_x64.exe /SKIP_VERSA_ROOT_CA CLI command.
- You can use the Display Gateway option during portal registration on a VOS device to display or hide gateways. If disabled, the Gateways drop-down list in the main client window displays only gateway groups and not gateways.
- Add support for device certificate-based authentication.
- Add support for strict tunnel mode to redirect all traffic through one tunnel. If disabled, specific traffic is routed through a tunnel and the rest of the traffic is routed through WiFi or Ethernet. You can configure this feature from the VSA portal.
Enhancements
- If only one certificate matches, the client automatically chooses it without displaying a popup window for users to select a certificate.
- Registration support using IPv4 address. In Releases 7.8 and earlier, FQDN is required.
- Automatically uninstall Versa services that are not supported in the newly installed client version.
Fixed Bugs
- Use a specific version of stateless DLL by registering to the global assembly cache (GAC) to avoid third-party issues.
Release 7.7.4
Released February 27, 2023
New Features
- You can enable single sign-on (SSO) so that users do not have to enter login credentials during the registration and re-registration process when the authentication method is SAML. During SAML authentication, the client does not store user credentials, and if users have to re-register, they have to authenticate manually using IDP. To enable SSO when you register the client to the portal, issue the VersaSecureAccessClientConsole.exe global --enable_sso true CLI command. By default, SSO is disabled, and when disabled, the user is prompted to enter credentials during SAML-based registration and re-registration. When you enable SSO, the client attempts a browser-based SSO using the Windows login credentials and tries to avoid prompting users for credentials. To disable SSO, issue the VersaSecureAccessClientConsole.exe global --enable_sso false CLI command.
- Add support for server-configured IPsec rekey time. The default value is 3600 seconds.
Fixed Bugs
- Underlay routes to exclude certain traffic from the full tunnel are sometimes not installed.
Release 7.7.3
Released January 23, 2023
New Features
- The exclude subnet feature allows users to exclude traffic from the tunnel for a specific subnet. If a user adds a subnet using this option, the client adds routes through the underlay (the internet-facing interface), so that traffic to those subnets does not enter the tunnel. To exclude subnets, issue the VersaSecureAccessClientConsole.exe service --exclude_subnets IP-address CLI command. To reset subnet exclusion, issue the VersaSecureAccessClientConsole.exe service --reset_exclude_subnets IP-address CLI command.
- You can uninstall registered profiles by issuing the VersaSecureAccessClientConsole.exe --uninstall_profiles CLI command.
Fixed Bugs
- When you enable IPv6, Systray fails to automatically reconnect.
Release 7.7.2
Released January 12, 2023
New Features
There are no new features in this release.
Fixed Bugs
- Registration to portal fails due to improper exception handling while connecting to Versa Cloud Gateways (VCG) running VOS Releases 20.2 and later or 21.2 and later.
Release 7.7.1
Released December 23, 2022
New Features
There are no new features in this release.
Fixed Bugs
- When client authentication token expires, cannot perform autoconfiguration synchronization on MDM-enrolled devices.
- Client incorrectly displays OS type as Windows 10 on Windows 11 devices.
- When displaying the Connection Status screen, UI automatically navigates to the main screen.
- When a user logs in to a computer in sleep mode, client displays the incorrect status.
Release 7.7.0
Released October 26, 2022
New Features
- Add support for endpoint information profile (EIP) from the secure access server side—A Versa endpoint information profile (EIP) can classify endpoints based on multiple types of endpoint posture information. To protect the endpoints in an enterprise network, you can create EIP profiles, which define rules that allow the VOS SASE software to filter information from endpoint device traffic and then match information to enforce security policy. Endpoint information ensures that remote hosts maintain and adhere to enterprise security standards before they access your network resources. You can configure a notification that alerts users about the reason for access denial and another that allows users to access the installation program for the missing software. To configure EIP, you create three building blocks for each tenant from the VOS software:
- EIP agent—Define the conditions that the SASE client uses to filter information from endpoint devices. When you configure a SASE portal policy, you associate the agent profile with the enforcement action in the policy.
- EIP objects—Define the match criteria to use in an EIP profile. The match criteria filter the raw data reported by endpoint devices.
- EIP profiles—Collect the EIP objects, which are the match criteria, into a profile that is evaluated together for monitoring and for enforcing security policy for SASE portals and gateways.
After registration of endpoint devices, the SASE client collects device information based on the EIP agent profile associated with the SASE portal policy and reports this information to the SASE gateway. The gateway evaluates the information and enforces the associated security policy. For example, you can create an EIP agent profile to verify if endpoint devices have installed the mandatory antivirus software. If the SASE client finds a device that has not installed the mandatory software, it does not allow the user to connect to the enterprise network and displays a message to install the software.
The frequency of how often the client collects and reports data depends on the posture check interval configured in the secure access profile. You can use multiple classification criteria to categorize and identify endpoint posture.
EIP is enabled by default for the SASE client. To disable EIP, issue the VersaSecureAccessClientConsole.exe service --enable_eip false CLI command. To re-enable EIP, issue the VersaSecureAccessClientConsole.exe service --enable_eip true CLI command.
Fixed Bugs
There are no bug fixes in this release.
Release 7.6.2
Released September 29, 2022
New Features
There are no new features in this release.
Fixed Bugs
- Client connection is not reset when a user with admin privileges performs diagnostics when the client is connected. (Bug 82060)
- Route is not installed in SASE client after gateway connection in SASE client Release 7.5.10 for the 32-bit version of Windows 10. (Bug 82101)
- SASE client connection does not transfer from a non-optimal static gateway to a dynamic VCG when a ping to a newly deployed optimal dynamic gateway fails after the first probe. (Bug 85424)
- Tunnel monitoring feature does not work as expected. (Bug 86331)
- Blank screen displays while loading SAML page during connection or registration. (Bug 86415)
- Cannot select different verbosity levels in SASE client. (Bug 86478)
- Fetching of UUID in personal laptops and registration fails. (Bug 86510)
- Allow users to attempt connection between failed reconnect attempts. (Bug 86528)
- When edit gateway is True, enabling or disabling Always On does not trigger Systray monitor on or off. (Bug 86695)
- Password eye icon is not visible when you change the focus and then focus again on the password field. (Bug 86716)
- Authentication failure message does not display when you enter an incorrect password during auto-preregistration. (Bug 86720)
- Page title does not display connection text when connecting after profile sync for local user authentication. (Bug 86721)
- Update the text for successfully saving a password. (Bug 86722)
- Client hangs during OTP verification. (Bug 86756)
Release 7.6.1
Released September 12, 2022
New Features
There are no new features in this release.
Fixed Bugs
- Tunnel IP address not chosen for discover gateway call. (Bug 85618)
- Update administrator privileges to disable IPv6 during migration. (Bug 85753)
- Add support for predefined include and exclude domains. (Bug 85777)
- Enhance user deny action for SAML. (Bug 85787)
- SAML page does not have back navigation. (Bug 85915)
- Handle RAS client events that are null. (Bug 85916)
- Application connect sync lock issue.
- Probe optimal gateway with preferred IP address.
Release 7.6.0
Released September 2, 2022
New Features
- Add support for portal-based configuration (Version 2).
- Enhance how configuration and state are saved to encrypted files to avoid tampering.
- When connecting to a dynamic optimal gateway, the client establishes a new connection with a lower metric without disconnecting the old tunnel. The old or non-optimal tunnel automatically disconnects in 30 minutes.
- To configure the non-optimal gateway disconnect time, issue the VersaSecureAccessClientConsole.exe client --sub_optimal_gateway_disconnect_delay delay-time-in-seconds CLI command.
- Automatic reconnection occurs only when the optimal gateway is disconnected.
- Add support for TWAMP.
- Add support to use a session token for API calls, if required.
- Add support for the Microsoft Edge browser, which is used for SAML authentication if the client detects that the Edge browser is available. If the Edge browser is not found, the default browser is used.
- Add support for domain-based or FQDN-based inclusion or exclusion. Add NRPT rules based on the domain or FQDN. (Bug 84342)
With support for domain inclusion and exclusion, existing configurations from the server are treated as FQDNs. These configurations must be reviewed and updated on the server. The following examples show the formats to use for configuring domains or FQDNs:
- Domains—.versa-networks.com, .microsoft.com
- Domains with different top-level domains (TLDs) (in this case, NRPT rules are not supported)—.microsoft, .amazon
- FQDNs—www.teams.com, www.microsoftonline.com
- FQDNs with different TLDs (in this case, NRPT rules are not supported)—www.teams, www.microsoftonline.
- Add support to connect to a hot-standby gateway during a group connect.
- Add multifactor authentication support for client certificate-based authentication.
- CLI support to hide admin mode from the UI:
- To hide admin mode, issue the VersaSecureAccessClientConsole.exe --enable_admin_mode false CLI command.
- To show admin mode again, issue the VersaSecureAccessClientConsole.exe --enable_admin_mode true CLI command.
- Add support to log restricted access events to the Windows Event Viewer.
- Add support for server alerts with server-based trusted network detection.
Fixed Bugs
There are no bug fixes in this release.
Release 7.5.12
Released August 10, 2022
New Features
- Support for sharing QR code over email.
- Auto-sync during auto-reregister when lifetime expires.
- FIPS support for IPsec layer.
Fixed Bugs
- WCF service does not respond. Also, the client does not connect and the Troubleshoot screen cannot be accessed.
- Unpredictable behavior because of LiteDB issues. This has been fixed by removing LiteDB usage to save the service state.
- Application performance improvement.
Release 7.5.11
Released July 15, 2022
New Features
There are no new features in this release.
Fixed Bugs
- FAIL-CLOSE mode restricted access is revoked shortly after disabling. (Bug 82670)
- Logo URL does not work. (Bug 82671)
- Sys-tray and the client are shown as connected, but DNS resolution is not performed. (Bug 82719)
- Client encounters Temporary Redirect message during connect or registration. (Bug 82843)
- Register request is sent in loop if server responds with 403 on auto-reregister. (Bug 82850)
- Decode RasClient error descriptions and log them in the RAS event listener logs (versa_secure_access_service_ras_events.log).
Release 7.5.10
Released June 10, 2022
New Features
- Add support for semitrusted mode—In previous releases, when the client detects reachability to a configured trusted host, it skips establishing a tunnel to the SASE gateway, because the CPE at the trusted site establishes a secure tunnel to the SASE gateway. In semitrusted mode, the SASE client establishes a tunnel to the SASE gateway even when a trusted host is reachable without the tunnel. You use semitrusted mode in deployments where the site or branch CPE does not have a secure tunnel connection to the SASE gateway. The client establishes a tunnel to the gateway for all traffic except for traffic to trusted subnets.
To enable semitrusted mode, issue the VersaSecureAccessClientConsole.exe service --enable_semi_trusted_mode true CLI command.
To configure trusted subnets that bypass the tunnel, issue the VersaSecureAccessClientConsole.exe service --trusted_subnets subnet-ip-address CLI command.
- Add support for Windows 32-bit platforms (Windows 7 and Windows 10). Note that the following features are not supported on the 32-bit platform:
- Application split tunnel
- Domain-based split tunnel
- Fail-close mode
- Strict full tunnel (all traffic entering the tunnel including that to directly connected subnets)
- For Windows 7, NRPT rules are not supported; name resolution is based on DNS servers on network interfaces.
- Enhancement to resolve excluded domains through the underlay DNS server.
- Enhancements to live diagnostics to collect the system state when a connection fails. The following information is logged:
- IP configuration of all interfaces
- Route table information
- DNS NRPT rules and cache
- Reachability to default gateway of the active interface
- Reachability to DNS server on the active interface
- Reachability to all registered portal FQDNs
- Hosts file entries
- Improve connect and disconnect operation performance by changing how NRPT rules are programmed and by parallelizing post-connect and disconnect operations.
- Improve handling of keepalive failure—If the system is in trusted mode and a keepalive fails, the client checks whether a connection is required when always-on is enabled.
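The live diagnostics item above lists the system state that the client logs when a connection fails. The following PowerShell script is an added example, not Versa code, that collects the same categories of state with built-in cmdlets so that an administrator can capture them independently of the client. The portal FQDN and output path are placeholders, and the script assumes the NetTCPIP and DnsClient modules, which are not available on Windows 7.

```powershell
# Added example: gathers the categories of system state listed in the live
# diagnostics item, using built-in cmdlets. It does not read or change the client.
param(
    # Placeholder FQDN (assumption); replace with your registered portal FQDNs.
    [string[]]$PortalFqdns = @('portal.example.com'),
    [string]$OutFile = (Join-Path $env:TEMP 'connect-failure-state.txt')
)

function Test-Reach {
    param([string]$Label, [string]$Target)
    # ICMP may be filtered on the path, so False is a hint, not proof of an outage.
    $ok = Test-Connection -ComputerName $Target -Count 2 -Quiet -ErrorAction SilentlyContinue
    '{0,-16} {1,-40} reachable={2}' -f $Label, $Target, [bool]$ok
}

function Format-Section {
    param([string]$Title, $Data)
    $text = ($Data | Out-String -Width 200).Trim()
    if (-not $text) { $text = '(none)' }
    "===== $Title =====`r`n$text`r`n"
}

# Treat the interface that owns the lowest-metric IPv4 default route as active.
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Select-Object -First 1

$reach = @()
if ($default) {
    $reach += Test-Reach 'default-gateway' $default.NextHop
    $dns = Get-DnsClientServerAddress -InterfaceIndex $default.InterfaceIndex -AddressFamily IPv4
    foreach ($server in $dns.ServerAddresses) {
        $reach += Test-Reach 'dns-server' $server
    }
} else {
    $reach += 'No IPv4 default route found; gateway and DNS server checks skipped.'
}
foreach ($fqdn in $PortalFqdns) {
    $reach += Test-Reach 'portal-fqdn' $fqdn
}

# Keep only non-blank, non-comment lines: these entries override DNS answers.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

$report = @(
    Format-Section 'IP configuration (all interfaces)' (Get-NetIPConfiguration -All)
    Format-Section 'Route table' (Get-NetRoute | Sort-Object InterfaceIndex)
    Format-Section 'NRPT rules (configured)' (Get-DnsClientNrptRule)
    Format-Section 'NRPT policy (effective)' (Get-DnsClientNrptPolicy)
    Format-Section 'DNS client cache' (Get-DnsClientCache)
    Format-Section 'Reachability' $reach
    Format-Section 'Hosts file entries' $hostsEntries
)

$report | Set-Content -Path $OutFile -Encoding UTF8
"Wrote $OutFile"
```

Comparing a capture taken while the tunnel is up with one taken after a failed connect shows whether routes, NRPT rules, or hosts entries were left behind or are missing.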
Fixed Bugs
- Issue with automatic detection of trusted network when cookie is not enabled. This issue has been fixed.
- The client fails to reapply FAIL_CLOSE if network connectivity is lost in a trusted network. This issue has been fixed.
- Custom logo is not displayed after you enable app-based split tunnel. This issue has been fixed.
- Excluded domains are not excluded during registration. This issue has been fixed.
- User credentials are saved in Windows Credential Provider in plain text when Remember Credentials is enabled and authentication method is LDAP or Local User. This issue has been fixed.
- Windows crashes because of a race condition when other applications in the system use the WFP driver to inspect packets. Following Microsoft guidelines, the code has been modified to handle the race condition.
- When the underlay network changes, the routes through underlay that are installed for excluded domains and the gateway FQDNs are not cleared. This issue has been fixed.
- Use an authentication token when available for config-sync with the portal.
- Application UI shows overlapping messages during connect. This issue has been fixed.
- Non-admin users can enable admin mode and can override the always-on and fail mode configurations. This issue has been fixed.
- FAIL_CLOSE mode no longer excludes full domains, and it excludes only FQDNs from profiles (for example, trusted host, gateway URL, registrar URL, and log URL). If the trusted host is an IP address, that IP address is added in an allow list in FAIL_CLOSE mode.
- Client reports a zero RTT towards the gateway because of a failure in the execution of the API that measures latency. This issue has been fixed.
- Add an additional check for best gateway selection logic during group connect to perform discover API and to deselect gateways that fail the discover API.
- On detecting a trusted network, fail mode is set to open. If the user deletes the account (from Versa Client UI > Settings > enterprise-name > Delete Account) while in a trusted network, the fail mode is not restored. This issue has been fixed.
- Client registration to the portal fails in FAIL_CLOSE mode because the portal FQDN is not in an allow list. This has been fixed.
Release 7.5.9
Released February 26, 2022
New Features
- When a user connects to a gateway in full tunnel mode, you can allow or block directly connected subnets by issuing the VersaSecureAccessClientConsole.exe service --exclude_direct_subnet (true|false) CLI command.
- Websocket support over TLS to receive Cloud Access Security Broker (CASB) server alerts
Fixed Bugs
- Fix to connect to the best gateway that instantiates dynamically. When a user connects to a group of gateways and optimal gateways are currently not available, the client sends a query to the secure access portal to check whether a new dynamic gateway is instantiated. When the client receives information from the portal about a new gateway, it reregisters and connects to the new dynamic gateway.
- In FAIL_CLOSE mode, when a Windows device user connects using prelogon (from a locked screen) to the gateway, with the connection timeout set to 5 minutes, and when the user logs in to the Windows device and registers the SASE client and connects again, both the prelogon tunnel and the user tunnel remain active. After the timeout (5 minutes), the prelogon tunnel disconnects and sets the system to FAIL_CLOSE mode. This also blocks all DNS traffic. This issue has been fixed so that as long as the user tunnel is up, the system continues to operate in NORMAL mode.
- In FAIL_CLOSE mode, when a SASE client is not registered with any account, registration to the portal fails. This issue has been fixed.
- While the client is in trusted networks, keepalive checks are performed frequently. If a keepalive check fails and all the retries also fail, the user is requested to perform forced authorization. This issue has been fixed.
Release 7.5.8
Released December 8, 2021
New Features
- Disable IPv6—You can disable IPv6 support using the --disable_ipv6 true CLI command.
- Set default FQDN and enterprise name in the first-time registration screen using the following CLI commands:
- To set the default FQDN, issue the --set_default_portal_fqdn fqdn CLI command.
- To reset the default FQDN, issue the --set_default_portal_fqdn " " CLI command.
- To set the default enterprise name, issue the --set_default_enterprise_name enterprise_name CLI command.
- To reset the default enterprise name, issue the --set_default_enterprise_name "" CLI command.
- When you set the default FQDN and enterprise name, the client displays these values in the register UI of the client.
- MDM certificate lookups include LocalMachine/Intermediate and CurrentUser/Personal.
- Re-authorize user credentials when requested by the server.
- Block DNS traffic in FAIL_CLOSE mode, except for the traffic required to establish a gateway connection.
- Driver functionality enhanced to intercept traffic only in FAIL_CLOSE mode or in normal-mode with application or domain in a split tunnel configuration
Fixed Bugs
- Remote kernel pool overflow in DNS name parsing. (Bug 73707)
- Lack of synchronization in IOCTL handler causes memory safety issues. (Bug 73708)
- Local kernel pool controlled overflow in IOCTL handler. (Bug 73709)
- .XPC does not use audit token. (Bug 73710)
- Denial of service through read access violation in IOCTL handler. (Bug 73711)
- Driver does not enforce access controls over IOCTL requests. (Bug 73714)
- System-wide denial of service because of malicious DNS packet. (Bug 73715)
- Allow domain or IP address functions only after restarting the VSA service. (Bug 76137)
- Fix bugs with optimal gateway connect.
- Select group by default after registration
- The IP address for the underlay interface was not renewed when performing ipconfig /release and then ipconfig /renew in FAIL_OPEN or NORMAL mode, because the IP address was blocked in the kernel.
- When you delete and reregister an account, the connection to an existing VPN gateway fails if the enterprise name changes. This has been fixed by making interface names (a combination of the enterprise name and the gateway) case-insensitive.
Release 7.5.7
Released September 16, 2021
New Features
- Disable restricted mode (FAIL-CLOSE) driver mode for a specified time.
- Display gateway information when connected to a group in the Connected Status > Details window.
- Servers renamed to SASE Gateways.
Fixed Bugs
- Client crashes when connecting when IP stickiness is turned on.
- Empty page without any progress message displays after SAML authentication.
- Clear NRPT rules, DNS suffix search lists, and Versa host entries when the client is uninstalled while connected to a gateway.
- Timer refresh issue after successful connect.
- Navigate to the exact window for API call exceptions.
- Include driver state in logs sent to technical support.
- Handle driver state better when Windows starts or stops.
- Block internet users when the system detects trusted mode because of a FAIL-CLOSE
Release 7.5.6
Released August 16, 2021
New Features
There are no new features in this release.
Fixed Bugs
- Failed to connect error displays during pre-logon.
- Notification tray displays wrong status when device resumes from sleep mode
Release 7.5.5
Released August 4, 2021
New Features
- Application and domain-based traffic steering—Turn split tunnel on or off using a toggle button. You can also enable or disable application and domain-based traffic steering by issuing the VersaSecureAccessClientConsole.exe service --enable_apptunnel [true | false] CLI command. See Enable an Application-Based Split Tunnel in Use the Versa SASE Client Application.
- Enable FAIL-OPEN, FAIL-CLOSE, and NORMAL modes when tunnel is established:
- FAIL-OPEN—Internet is accessible with or without a VPN connection.
- FAIL-CLOSE—Internet is accessible only when a VPN is connected.
- NORMAL—AppDNSTunnel driver is not involved in internet access.
- Switch between FAIL-OPEN and FAIL-CLOSE modes using the following CLI commands:
- Enable FAIL-OPEN—VersaSecureAccessClientConsole.exe service --fail_open_mode
- Enable FAIL-CLOSE—VersaSecureAccessClientConsole.exe service --fail_close_mode
- Allow or reset selected domains or IP addresses during FAIL-CLOSE mode. In FAIL-CLOSE mode, you can allow access to certain domains and IP addresses using the following CLI options.
- VersaSecureAccessClientConsole.exe service --allow_domains comma-separated-domain-names
- VersaSecureAccessClientConsole.exe service --allow_ips comma-separated-IP-addresses
To reset the domain and IP address values, issue the following commands:
- VersaSecureAccessClientConsole.exe service --reset_domains
- VersaSecureAccessClientConsole.exe service --reset_ips
Fixed Bugs
- Error occurs when multiple gateways return same latency during group connect.
- Issue in detecting server-driven trusted network.
- Different states displayed in UI and systray during trusted network detection.
- Systray aborts retry after first attempt if server does not respond.
- Missing information in connection details.
- Edit Gateway screen UI fixes.
- Traffic steering prefixes and DNS screen UI fixes.
Release 7.4.7
Released July 20, 2021
New Features
- Support FIPS mode, to enable systemwide FIPS policy and allow only FIPS supported ciphers for TLS communication. To enable FIPS mode, issue the VersaSecureAccessClientConsole.exe client --enable_fips_policy true CLI command. To disable FIPS mode, issue the VersaSecureAccessClientConsole.exe client --enable_fips_policy false CLI command. This command disables the application FIPS policy and system FIPS policy (if enabled by VSA application) and resets the system to the earlier state.
- Use custom port number along with FQDN—During registration, users can specify a custom port number along with FQDN in the format fqdn:port-number.
Fixed Bugs
- Connection being dialed already error RAS [633]. This issue has been fixed.
- Updated TOTP screen UI hint.
- Error displays when multiple gateways return same latency during group connect.
Release 7.4.6
Released July 2, 2021
New Features
- Pool IP stickiness—To enable IP stickiness, which stores the tunnel IP address provided during a connection and requests the same IP address for subsequent connections to the same gateway, issue the VersaSecureAccessClientConsole.exe --ip_stickiness CLI command. When connecting to the best gateway when IP stickiness is enabled, the client chooses the previously connected gateway if it is available in the optimal gateway list and if latency of this gateway is within the permitted range compared to the best. To customize latency, issue the VersaSecureAccessClientConsole.exe --ip_stickiness_latency CLI command.
- Tunnel monitoring with DNS server ping test.
- Diagnostic support for RASMAN and SSTP service start issue.
- Allow temporary disconnect while always-on profile is connected. Reconnect automatically after a configured time interval.
- Periodically send metric information to the SASE portal.
- Connect to the second IP address when the first IP address is not reachable, and connect to an IPv4 address when an IPv6 address resolves to the SASE portal and gateway.
- Update CA chain, regardless of the certificate order received from the gateway during registration.
- Include system sleep and resume events in logs.
- Show alternative action for users in the error message when the client cannot communicate with the SASE portal.
- When users synchronize profiles and then connect, avoid two prompts to enter credentials when Remember Credentials is false and authentication token is disabled.
Fixed Bugs
- Missing information in connection details.
- If the FQDN is invalid (does not resolve to an IP address) during registration, the client navigates to the home page and displays an error message instead of staying on the same page.
Release 7.4.5
Released June 8, 2021
New Features
- Support Windows 7, 64-bit
Fixed Bugs
- Issues with OTP failures and incorrect OTP entry while connecting.
- Improve SAML browser emulation registry to better render the SAML page
Release 7.4.4
Released May 27, 2021
New Features
- Export logs to USB flash drive for technical support in pre-logon mode.
- Graceful reconnect for connections with SAML authentication.
- Users can interact and reconnect from the UI when the connection is lost.
Fixed Bugs
- Fixed pre-logon connect issue.
- Reconnect issues with invalid or no authentication token.
- Unexpected exception handling of timer ticker.
- Synchronize UI, Systray, and Windows when Windows restarts.
- IPC issues between processes on systems in non-English locations.
- IPC issues in reading and updating configurations and state.
Release 7.4.3
Released May 14, 2021
New Features
- Include event viewer logs in log export to technical support
Fixed Bugs
- Unstable connection during graceful reconnect when system wakes from sleep mode.
- Fix issues with tunnel state inconsistencies in UI and Systray.
- Implement a recovery mechanism to reestablish communication between the client and Windows Communication Foundation (WCF) when the WCF service does not respond.
- Add delay between graceful reconnect attempts. Earlier, continuous attempts to reconnect sometimes exhausted retries. With the delay, reconnection chances are greater when the system is up.
- Failure displays if route and DNS installation fails or Windows service does not respond during VPN connect. Service recovery attempt is performed on a best-effort basis by resetting the listening of service. This issue has been fixed.
Release 7.4.2
Released April 19, 2021
New Features
- Select best gateway based on proximity of the client to the gateway, gateway load, and the latency between the client and the gateway. See Configure the Versa SASE Client To Select the Best Gateway.
- Autosynchronize periodically with the VSA portal to receive updated profiles.
- Graceful autoreconnect—Automatically restore connection when network comes back up after an outage.
- Detect captive portal and automatically display captive portal window.
- Always-on connectivity—Allow preregistered or authorized clients to connect to the VSA gateway without user intervention. See Enable Always-On in Use the Versa SASE Client Application.
- Detect trusted networks and perform tunnel bypass.
- Notify Windows connect or disconnect events
Fixed Bugs
There are no bug fixes in this release.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.